Posts tagged WSAM

Juniper SSL VPN Secure Access 6.5R2 Available – Windows 7

10
December 10, 2009
by Michael McNamara in

Juniper has released a new version of software for their SSL VPN (Secure Access) appliances. The new release, 6.5R2, hopefully corrects all the issues and heartache that 6.5R1 brought to Juniper’s customers. I won’t rehash the issues that we discovered in 6.5R1, if you haven’t heard about them you can go read the earlier posts on the subject;

I will be testing 6.5R2 on a spare SA4000 appliance (waiting for an evaluation license key from Juniper) and will share my results with everyone here.

You can find the release notes for 6.5R2 here.

Windows 7

When will Juniper Network’s SSL VPN (SA platform/IVE OS) support Microsoft’s Windows 7 OS as a supported client platform? You can refer to Juniper knowledge base article, KB13195.

Juniper states that “Microsoft Windows 7 is qualified” (not supported) on 6.5R2 and there should be no major issues aside from the know caveats/issues.

Known Issues/Caveats:

* All client components:

  1. 1. Unable to install (or) launch client component using IE8 (64 bit). This is expected as IE8 (64 bit) browser is not supported. Please use IE8 (32 bit) to avoid this issue. (470316)

* EndPoint Integrity:

  1. When using IE 8 on 64-bit Windows 7 the reason string is not available when a patch assessment policy fails. (485421)

* Secure Virtual Workspace (SVW):

  1. When opening a file with Windows Photo Viewer inside SVW, the file is shown on the real desktop rather than inside the SVW session. (447409)
  2. On Windows 7, saving a MS Office 2003 file inside SVW fails. (486104)
  3. On Windows 7, Control Panel is accessible inside SVW even if it is disabled under application to allow list. (486104)

* WSAM:

  1. If Kaspersky Anti-Virus Version 2009 (8.0.0.506) is installed on a Windows 7 (OR) Windows Vista computer, WSAM will not be able to intercept and secure traffic. This issue is not seen with older versions of Kaspersky Anti-Virus (434715).

Cheers!

Update: January 6, 2009

I should point out that I’ve discovered that JSAM will not launch properly with Windows 7 (64-bit) when running 6.5R1 software. I initially thought it might have something to-do with the 32-bit/64-bit versions of Internet Explorer or the 32-bit/64-bit versions of the Java Runtime Environment. I tested the same machine today with 6.5R2 and it worked fine using the 32-bit version of Internet Explorer. I didn’t try the 64-bit version of Internet Explorer. So it would appear the problem is resolved in 6.5R2 software, please see the forums for additional details.

Norton 360 and Juniper SSL VPN WSAM

3
October 2, 2009
by Michael McNamara in

Update: Thursday, October 8, 2009 I decided to rewrite this post to include all the information I’ve accumulated while troubleshooting the issues I’ve encountered deploying software release 6.5R1 for my organization. I can’t tell you how valuable it is to have access to a virtual machine with snapshot capability while testing all the different possible anti-virus, anti-spyware, and security software that’s out there in the wild with Juniper’s Windows Secure Application Manager. Since Juniper has yet to really release any useful information I thought I would add some additional notes to this post around the different software products that I’ve discovered can interfere with Juniper’s Windows Secure Application Manager (WSAM) client software.

If you’re a regular follower you know that we recently upgraded our Juniper Secure Access 4000 SSL VPN appliances from 6.2R1 to 6.5R1. You also know that we discovered that the old Juniper Installer Service from 6.2R1 is unable to upgrade the Juniper software components for non-Administrator users. You’ll need to manually install the Juniper Installer Service if your users are non-Administrators of the local computer they work on.

norton360Norton 360, Norton Internet Security, Norton AntiVirus 2010

We’ve been successful in duplicating customer reported issues between Norton 360 or Norton Internet Security or Norton AntiVirus 2010 and Juniper’s Windows Secure Application Manager (WSAM). Windows XP users running any of the above Norton products will generally experience a blue screen of death crash (IRQL_NOT_LESS_OR_EQUAL) when clicking on a bookmark that relies on the WSAM client. Windows Vista users running any of the above Norton products will generally hang the machine (only after the first reboot from the time the product was installed) when launching the WSAM client software upon logging into the Juniper appliance. As a side note to this problem, users running Norton 360 (v3.0.0.135) do not experience this problem, only users running Norton 360 (v3.5.2.11). Juniper Technical Assistance Center (JTAC) has acknowledged that a problem exists and is working to release 6.5R2 in November 2009 to address the problems with Norton.

Symantec AntiVirus v10.x

Users running Symantec Corporate Edition AntiVirus v10.0, v10.2 experience intermittent local name resolution issues from DNS, WINS and local NetBIOS name broadcasts while the WSAM client software is running. The name resolution issues are not present when WSAM is not running. A possible workaround is to create static HOST entries in the local HOSTS file (C:\Windows\System32\drivers\etc\hosts). JTAC has acknowledged that a problem exists, I’m still waiting for additional information from JTAC.

esetnod32ESET NOD32 Smart Security 4 and Antivirus 4

The testing in our lab has shown varied results. In some instances the latest and greatest release of NOD32 appears to work fine with WSAM. The later versions of NOD32 appear to add exceptions for the Juniper software components in the advanced configuration section under ‘Web Access Protection’. Older versions of NOD32 appear to block WSAM from communicating with the Juniper Secure Access Appliances even though the application indicates that it’s ‘Connected’. In our testing we did find that JSAM and NC both appeared to function properly with the latest version of ESET NOD32 installed. We’ve implemented a workaround for our customers using JSAM and that appears to be working for our users.

zonealarmCheck Point ZoneAlarm Security Suite

We’ve been able to re-create this problem and also have a ticket open with JTAC. We’ve tried adding exceptions and making IP addresses ‘trusted’ in Check Point’s language. We’ve been completely unsuccessful in getting this product to work with WSAM. The symptoms are identical to NOD32, where the WSAM application launches successfully and indicates that it’s ‘Connected’ but your unable to connect to any WSAM applications. In our testing we did find that JSAM and NC both appeared to function properly with ZoneAlarm installed. I have a support ticket open with JTAC but I haven’t received any feedback yet. We’ve implemented a workaround for our customers using JSAM.

I also learned from a user that Spybot Search & Destroy has a feature that can ‘lock’ the local host file on a computer preventing Java Secure Application Manager (JSAM) from operating properly.

Anyone else having any issues of findings they care to share?

Juniper SSL VPN Upgrade – Client Software

0
September 22, 2009
by Michael McNamara in

We use a pair of Juniper Secure Access 4000 appliances operating in a cluster configuration for high availability to provide remote access to our internal web based applications. We utilize Juniper’s Windows Secure Application Manager (WSAM) to provide secure access to web based and non-web based applications where the core rewriting functionality of the SA4000 is too slow or incompatible with the application.

We’ve been planning to upgrade from 6.2R1 to 6.5R1 so we can support our Windows Vista 64-bit users, a population that seems to be growing rapidly these days now that resellers are shipping machines with 4Gb of memory requiring a 64-bit operating system.

Over the past week we’ve been working (along with Juniper) to confirm that upgrading from 6.2R1 to 6.5R1 won’t cause us any unforeseen problems. We’ve tested the upgrade on a spare SA4000 and found no problems worth mentioning on the appliance itself. We did, however, encounter problems with the client software. The Juniper Installer Service is designed to automatically upgrade itself and any associated Juniper software such as Windows Secure Application Manager (WSAM), Network Connect (NC) and Hostchecker. The Juniper Installer Service is critical because it allows non-Administrator users of the personal computer to upgrade the Juniper software without requiring Administrator access. When you have a large deployment with hundreds or thousands of users (especially where those users are outside of your managed environment) it is crucial that this process work flawlessly. It would seem that the upgrade process between 6.2R1 and 6.5R1 is broken. In some discussions with TJAC they didn’t seem surprised by the information yet I don’t ever recall reading anything in the release notes acknowledging that problem.

non-Administrator users

I tested the upgrade process and the client software didn’t upgrade itself properly when a user without Administrator rights connected to the appliance. The browser would just hang at /dana/home/starter0.cgi?check=yes trying to check for the presence of the Juniper Installer Service. After about 30 seconds the browser would try to start Windows Secure Application Manager (if it was configured to launch automatically) and hang again. After another 60 seconds the appliance would try to launch a Java applet to install the WSAM client which would fail because the user wasn’t an Administrator of the PC and didn’t have the proper rights to install the WSAM client software.

Administrator users

If a user with Administrator rights connected to the appliance the browser immediately prompted the user to install the Juniper Installer Service (ActiveX object).  The Windows Secure Application Manager (WSAM) also installed/upgraded itself without issue along with the Network Connect (NC) client. In short there were no issues with the upgrade so long as the user was an Administrator of the personal computer.

Solution

The solution to the problem with non-Administrator users is simple but a painful task depending on how diverse your user population might be. An Administrator of the personal computer must manually install the Juniper Setup Client (formerly called the Juniper Installer Service) onto the personal computer. Once that task is complete non-Administrator users can connect to the Juniper appliance and any remaining Juniper software components will be properly installed through the Juniper Setup Client even though the user is a non-Administrator and doesn’t specifically have rights to install software.

In a previous post I hinted that the WSAM client didn’t function properly in 6.5R1 on a Windows Vista 64-bit computer. That problem seems to have remedied itself although I’m not really sure what changed or what might have been broken in my initial testing. All subsequent testing shows that WSAM works fine from a Windows Vista 64-bit computer. There are some documented issues using the 64-bit version of Internet Explorer within Windows Vista so I would advise users stick to the 32-bit version for now.

Cheers!
Update: Wednesday September 30, 2009

I thought I would post an update since this article seems to be attacking a lot of attention around the net. Over the past three months we had around 1,900 different users login from almost 3,400 different machines (users are mobile). While the majority of issues have been resolved by un-installing the Juniper client software, rebooting and re-installing the client software there are a few that require some extra configuration and one that is currently broken. If you are esetnod32-1running Nortel Internet Security 2009 or Norton 360 there is a unknown issues with the latest (GoLive update) version that will cause Windows Vista (Norton forums) to hang and Windows XP to blue screen. If you are using ESET NOD32 you’ll need to add specific exemptions for Internet Explorer and the Juniper programs, you can see a example to the left (click to enlarge).

I also had a brief discussion with JTAC this week in which I was told that the Juniper Installer Service and the Juniper Setup Client are two different pieces of software.  I’ll need to dig up some additional documentation to see if I can untangle that mystery.

Go to Top